Who's Afraid of the FireWire Port? Maybe - You!

Not a Good Season for PC Security

One of these days, the folks who write dictionaries are going to list "secure" as an antonym for "personal computer." After all, we recently learned that a can of compressed air (used to chill a PC's RAM so its contents survive a reboot, the so-called cold boot attack) can be used to recover the keys for full-disk encryption products like Windows Vista's BitLocker and Mac OS X's FileVault. And now, thanks to a security researcher from New Zealand, we're learning that FireWire ports also offer an attack vector. Ouch!

Meet 'Metlstorm' and His Attack Program, winlockpwn

Adam 'Metlstorm' Boileau is the creator of winlockpwn, which enables a Linux-based computer to disguise itself as an iPod, connect to a Windows PC's FireWire port and take it over, even when the PC is sitting at a password-protected lock screen. Boileau, despite his hackerish nickname, is actually a well-known security consultant.

After demonstrating winlockpwn at the Ruxcon security conference back in 2006, Boileau waited 18 months to see if anyone would address the vulnerability his utility exposed. Nobody did, and with the recent coverage of the physical attack on full-disk encryption, he decided it was time to go public in a March 4 interview on the Australian-based Risky Business security podcast (it starts at 12:36 into the podcast). If you're not a big podcast fan, read about it here.

How winlockpwn Works

Simply put, winlockpwn works by exploiting a well-known feature (not a bug, thank you very much!) of the FireWire (aka IEEE 1394 or i.Link) interface. FireWire was designed as a peer-to-peer bus rather than a host-controlled peripheral bus like USB, and the standard OHCI host controller lets a device on the bus issue direct memory access (DMA) reads and writes to the host's physical memory without the CPU or the operating system being involved. A USB device can only answer requests the host makes of it; a FireWire device can read, and rewrite, the host's RAM.

Boileau's program makes a Linux PC look like a harmless iPod by presenting a FireWire configuration ROM (the descriptor every FireWire device uses to announce what it is) copied from a real iPod. That gets it past access-control programs that block certain types of devices, and, more importantly, it makes Windows bind its SBP-2 storage driver to the fake "iPod," which is what switches on physical DMA for that device. Once it has DMA, winlockpwn reads through the PC's memory, finds the password-checking routine of the Windows logon package (msv1_0.dll) and overwrites it so that any password is accepted. With the same access it could just as easily dump all of RAM, encryption keys included, or inject other code of the attacker's choosing.

Other operating systems, including Linux and Mac OS X, have long been known to be vulnerable to the same class of FireWire DMA attack, but winlockpwn is the first publicly released FireWire-based attack aimed at Windows PCs. Windows XP is the primary target, but Information Week reports that an Austrian security company has created a similar attack targeting Vista.

Script Kiddies Need Not Apply

Thankfully, winlockpwn isn't available as a preconfigured .exe file - Boileau has published it as a research tool for serious security researchers (but, let's face it, serious hackers will also "benefit" from it too). It requires a Linux PC with a FireWire port, Python, and the libraw1394 library together with Boileau's Python bindings for it. A complete list of requirements is found in Boileau's original 2006 presentation "Hit by a Bus: Physical Access Attacks with Firewire," available in PDF form on his website.

Stopping winlockpwn

Winlockpwn can attack a Windows PC via FireWire only if the PC has an active FireWire host controller. So the easiest way to stop it is to disable your FireWire ports when they're not in use! Use the BIOS setup to disable onboard FireWire ports, and Windows Device Manager to disable the 1394 host controller of an add-in card. Because winlockpwn can also be launched after plugging a CardBus (32-bit PC Card) FireWire card into a "locked" PC (plug-and-play will happily configure the new controller while the screen is locked), use Device Manager to disable the CardBus slots when they're not in use as well. If you'd rather rely on access-control software, keep in mind that a FireWire device's description of itself is entirely under the attacker's control, which is exactly how winlockpwn passes as an iPod, so a rule that allows "harmless" device types is no rule at all: configure the software to permit no access by any type of FireWire device (until it's time to plug in your DV camcorder, FireWire drive or scanner, that is). It is the Windows SBP-2 storage driver, loaded for disk-like devices such as iPods, that hands a FireWire device its DMA access, so blocking that driver closes the hole even on a machine whose port stays enabled.
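The audit-and-disable procedure above, written out in PowerShell as an added example; this is not code from the original article or from Boileau's tools. It assumes an elevated PowerShell session on Windows 8 or later (the PnpDevice cmdlets do not exist on XP or Vista, where Device Manager or the BIOS is the only route), and the function names are this example's own.

```powershell
# Added example, not part of the original post or of winlockpwn. Audits the
# IEEE 1394 host controllers on this machine, disables any that are enabled,
# and blocks the SBP-2 storage driver that a FireWire "iPod" needs Windows to
# bind before it is granted physical DMA. Assumes an Administrator session on
# Windows 8 or later. Function names below are this example's own.
$ErrorActionPreference = 'Stop'

function Get-FireWireController {
    # Device class '1394' is the OHCI host-controller class. A CardBus or
    # ExpressCard FireWire card shows up here the moment it is inserted.
    Get-PnpDevice -Class '1394' -ErrorAction SilentlyContinue
}

function Disable-FireWireController {
    param([switch]$DryRun)   # list what would be disabled without touching anything
    foreach ($dev in Get-FireWireController) {
        if ($dev.Status -ne 'OK') { continue }   # already disabled or not present
        Write-Host "Disabling $($dev.FriendlyName) [$($dev.InstanceId)]"
        if (-not $DryRun) {
            Disable-PnpDevice -InstanceId $dev.InstanceId -Confirm:$false
        }
    }
}

$Sbp2Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port'

function Test-Sbp2Blocked {
    # Start = 4 (SERVICE_DISABLED) stops Windows loading sbp2port.sys, the driver
    # an SBP-2 device such as an iPod is bound to. Microsoft's later BitLocker
    # hardening guidance (KB 2516445) recommends the same setting.
    if (-not (Test-Path $Sbp2Key)) { return $true }   # driver not installed at all
    return ((Get-ItemProperty -Path $Sbp2Key -Name Start).Start -eq 4)
}

function Block-Sbp2 {
    if (Test-Path $Sbp2Key) {
        Set-ItemProperty -Path $Sbp2Key -Name Start -Value 4
    }
}

# Usage: audit, dry-run, then act. To reverse it later, use Enable-PnpDevice on
# the same InstanceId and set Start back to 3 (SERVICE_DEMAND_START).
Get-FireWireController | Format-Table FriendlyName, Status, InstanceId -AutoSize
Disable-FireWireController -DryRun
Disable-FireWireController
if (-not (Test-Sbp2Blocked)) { Block-Sbp2 }
"SBP-2 driver blocked: $(Test-Sbp2Blocked)"
```

Disabling the controller in Device Manager is a software control, so it protects the case the article is about (a running, locked machine) and nothing more; an attacker who can reboot the box into their own operating system is not stopped by it, and the BIOS setting is the stronger of the two.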

Panic? No! Reasonable Caution? Yes!

So, how should you react to the news that winlockpwn is stalking the Windows PC world? It isn't necessary to sleep with your laptop under your pillow, but you should secure it when you're not using it. Keep your office door locked when you're on break or at lunch, and put those FireWire ports to sleep when you don't need them for video capture or editing jobs.

----------------------------------------

Getting ready to take Vista for a spin, now that SP1's almost here? Arm yourself (or your office mates or family) with an easy-to-read guide that gives you the inside track: Maximum PC Microsoft Windows Vista Exposed, available at Amazon.com and other fine bookstores.

Comments

Firewire is useless. It will allow someone to compromise my system but I am unable to connect my PC to my cable DVR with a Firewire cable. I am paying to record the TV shows to a hard drive, but I get nothing when I try to find a Vista x64 driver for the devices that show up. Can someone tell me why I shouldn't be able to copy a show from one drive to another when that is when I pay for the chance to record it to a hard drive in the first place, and the cable company doesn't want to let you swap out the drives either.

Thanks to everyone who's commented on this story. You've all made excellent contributions to the general knowledge level on threats and exploits. Keep 'em coming!
-----------------------------------------------
It's amazing how illogical a business built on binary logic can be.

Heh, why does this not surprise me one bit? While XP does support networking via FireWire, it's been a bit of a pain to get it working right. While you can daisy chain FireWire devices in general, you can't string a few PCs together using Windows.

Anyway, back on topic. For the most part, people don't use their FireWire ports on average and it would be a good idea to disable them. I've disabled all of mine on both my PC and laptop via the BIOS as well as in Windows. I also employ a firewall that monitors all processes at the kernel level and before anything can execute, it has to obtain my approval. A good firewall that does a similar job is COMODO firewall; we are currently employing it on our newer remote VPN clients.

Good points, mike from Canada. The FireWire networking support in XP was mainly for a quick-and-dirty two-station network (a sort of supercharged version of the old parallel-port Direct Cable Connection).

Here's the URL for COMODO: http://www.personalfirewall.comodo.com/

It looks like a useful alternative to ZoneAlarm and bundled firewalls - and it's free!
----------------------------------------
It's amazing how illogical a business built on binary logic can be.

Most PC users in a home or office situation are going to be concerned if a tech called in on a software-related task whips out a screwdriver to open the system. However, most of these users probably wouldn't blink if the tech connects a cable between the "diagnostic" system and the system with an alleged problem ("I just need to run some diagnostics, sir" or "These tests will just take a few moments, ma'am").

This type of exploit has "social engineering" written all over it, and that (along with the technical nature of the threat) is why it's dangerous. It doesn't "look" threatening - but it is.

I can reset the passwords of any Windows computer simply by booting off a CD.

I can reset the password of a Mac OS X computer simply by holding Command + S while the computer is starting up, which boots the computer in single user mode and allows anyone to change the root password without knowing the existing one.

I can reset the password of a Linux computer by appending "single" to the boot string (unless the person uses GRUB and put a password on it, which is a whole different story).

There are many simpler and much faster ways to gain access to a computer that you have physical access to other than using firewire. So this exploit isn't really that big of a deal because if the attacker already has physical access to your computer, you've lost.

I often keep a spare FireWire or USB cable dangling for a quick ad hoc connection to a peripheral. Now, my office is a private office and I keep it locked, but in a cubicle environment, leaving a FireWire cable available for a peripheral could make it very, very easy for the data thief next door to pull an unused cable, add an extension, plug in their Linux+winlockpwn PC, and presto! A system compromised by a user who never needed to touch the system itself, the keyboard, the CD/DVD drive, etc.

When you consider that Windows XP (but not Vista) supports networking over FireWire, there may be more unattended FireWire cables that nobody's keeping a close watch on than you might suspect.

Anyway, if nothing else, this exploit reminds everyone of why FireWire and USB are fundamentally different technologies and how the difference can be exploited.

I've disabled my FireWire ports until they're needed - and I recommend everyone do the same.
-----------------------------------------
It's amazing how illogical a business built on binary logic can be.

Yeah... You'd be astounded at how many people don't even know what FireWire is, or maybe not, lol. Whenever people call me for internet tech support (I work at an ISP) they always like to tell me that they have a 1394 connection in the listed network connections, that it has a 169 IP, and that is why they can't access the internet. So this kind of exploit would be super easy to accomplish, as a previous poster mentioned (social engineering, etc.)... Pretty amusing stuff. Could possibly educate the masses on yet another part of their computer by scaring them into getting the correct knowledge. There is no patch for human stupidity, as someone was quoted as saying.